Microsoft Teams has become a core platform in the new ‘work from home’ era and reflecting its growing importance, Microsoft has launched a bug bounty rewards program for researchers who find security flaws in desktop software.
Microsoft is offering up to $30,000 to security researchers in its Teams bug bounty with “scenario-based awards for vulnerabilities” if they have a big impact on customer privacy and security. Rewards start at $6,000.
The top reward reflects the growing importance of Microsoft Teams, which has 115 million daily active users.
SEE: Top 100+ tips for telecommuters and managers (free PDF) (TechRepublic)
The bug bounty only applies to the Microsoft Teams desktop client, which is available for Windows 10, macOS and Linux. The bounty does not apply to the Teams app for desktop browsers or the native mobile apps for iOS and Android.
The $30,000 reward is available for researchers who can clearly outline a remote code execution bug using native code in the context of the current user with no user interaction.
Microsoft is also offering $15,000 for a bug that allows an attacker to obtain authentication credentials for other users, but phishing is excluded.
It’s offering $10,000 for cross site scripting (XSS) flaws or other remote code injection that allows an attacker to execute arbitrary scripts in the context of teams.microsoft.com or teams.live.com with no user interaction. The same amount is available for researchers who can demonstrate a way to elevate privileges in a way that hops over the Windows and user boundary.
The $6,000 reward is available for researchers who find a XSS or other “code injection resulting in ability to execute arbitrary scripts in the context of teams.microsoft.com or teams.live.com with minimal user interaction.”
Microsoft is also offering general bounty awards for the Teams desktop app that fall outside the scenario-based awards, with rewards ramping up to $15,000.
Teams in the browser continues to fall under the Online Services Bounty Program.
Teams rival Zoom last year revamped its own bug bounty program with Luta Security.